Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
This Gemini generation skill is broadly coherent, but it deserves review because it obtains and caches Google session cookies, uses an unpinned runtime command, and includes under-disclosed account-changing capabilities.
Install only if you are comfortable using a reverse-engineered Gemini Web workflow with Google session cookies. Prefer a dedicated Google account/profile, avoid sensitive prompts or reference images, inspect and protect the cookie/session files, and do not allow project-level EXTEND.md settings or Gem mutation actions unless you explicitly trust them.
64/64 vendors flagged this skill as clean.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or invoking the skill gives it access to reusable Google session cookies for the account used in the launched browser profile.
The skill retrieves Google session cookies through Chrome DevTools and writes them to a local cookie cache, while the registry metadata declares no primary credential.
'Network.getCookies', { urls: ['https://gemini.google.com/', 'https://accounts.google.com/', 'https://www.google.com/'] } ... await write_cookie_file(filtered, resolveGeminiWebCookiePath(), 'cdp');
Use only a dedicated Google account or dedicated Chrome profile, review where the cookie file is stored, and remove/revoke the cached session if you stop using the skill.
A user may run code through an unpinned external package before sending authenticated requests with Google cookies.
The documented execution path uses `npx -y bun` without a pinned version or install specification, so runtime code may depend on an unpinned package fetch.
npx -y bun ${SKILL_DIR}/scripts/main.ts "Your prompt"
Pin and declare the runtime dependency, or require users to install a trusted Bun version instead of using `npx -y` in the default command.
If invoked by the agent or another skill, these functions could alter or delete Gemini custom Gems in the user's Google account.
The authenticated client exposes Gemini Gem creation, update, and deletion functions, but the SKILL.md describes text/image generation rather than account configuration mutation.
async create_gem(...) ... async update_gem(...) ... async delete_gem(...)
Remove unused account-mutating methods or gate them behind explicit user requests and confirmations with clear documentation.
A repository-controlled EXTEND.md could influence where sensitive state is stored or how authenticated traffic is configured.
The skill tells the agent to apply project-level or user-level EXTEND.md settings, including proxy and data directory settings, in a workflow that handles Google cookies.
Found | Read, parse, apply settings ... EXTEND.md Supports: Default model | Proxy settings | Custom data directory
Do not apply project-level EXTEND.md settings for proxy, cookie, or data-directory behavior without explicit user approval and validation.
The skill may keep an authenticated Google session alive beyond a single request unless the client is closed correctly.
The client defaults to a background cookie-refresh loop that rotates and rewrites Google cookie state while the process remains alive.
public auto_refresh: boolean = true; ... void this.start_auto_refresh(ctl.signal); ... while (!signal.aborted) { ... rotate_1psidts ... await sleep(this.refresh_interval * 1000, signal); }
Document this behavior clearly, ensure the CLI always closes the client, and provide a user-facing option to disable automatic refresh.
The skill will open and control a browser instance for authentication.
The skill launches a local Chrome or Edge executable for login and cookie collection; this is purpose-aligned but still local process execution.
return spawn(chrome, args, { stdio: 'ignore' });
Only run it in an environment where launching Chrome with remote debugging is acceptable, and verify the configured Chrome path is trusted.